“It is better to be unique than the best. Because, being the best makes you the number one but being unique makes you the only one”1
'Being unique makes you the only one' is the core principle of privacy of a person because personal autonomy, personal data, dignity, and personal activities are the aspects that create a specific identity of a person and differentiates such person from the entire world. Personal information and data of a person can be used to identify and exploit such person and hence every person has the right to protect one's privacy against such exploitation. This right is known as the right to privacy. Privacy can be defined as a state of being free from public attention/knowledge to intrusion or interference with one's decisions or actions. While the right to privacy means the combination of the 'Right to personal autonomy' along with the ‘right of a person or property of such person, to be free from unwarranted public exposure or scrutiny’. The right to privacy is not only conferred by article 21 of the constitution of India but is also a fundamental human right recognized by several international conventions and treaties.
As said byJustice B.L. Hansaria,
“The golden triangle of our Constitution is composed of Articles 14, 19, and 21. Incorporation of such a trinity in our paramount parchment is for the purpose of paving such a path for the people of India which may see them close to the trinity of liberty, equality and fraternity."2
This statement highlights the importance of article 21 and makes it the utmost duty of the state to protect the right to privacy of its citizens as privacy and its protection is one of the fundamental pillars that hold the democracy of the country. The landmark case of K.S. Puttaswamy vs. Union of India3 was a milestone that brought the right to privacy into the limelight and highlighted the importance of its protection. It is after this case, the state started focusing on the protection of the personal data and privacy of its citizens. India does not have a specific statute for the protection of data yet, as the Personal Data Protection Bill, 2019 is not passed for enforcement. But the same is governed by IT Act, 2000 and IT (Intermediary Guidelines and digital media Ethics Code) Rules, 2021(IT Rules, 2021) currently. IT Rules 2021 have caused a major disturbance in the digital technology industry as it replaced and forefront certain new obligations before social media intermediaries and mandated the same for claiming protection under the safe harbour principle.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a subordinate or substitute legislation that has suppressed India's Intermediary Guidelines Rules 2011. The IT Rules 2021 are based on the motion to "resolve the Government for strengthening the legal framework and making social media platforms accountable under the law", these rules are stemmed from section 87 of the Information Technology Act, 2000 and are a combination of the OTT Regulation and Code of Ethics for Digital Media and the draft Intermediaries Rules, 2018. On the other hand, the IT Act, 2000 provides a legal framework for electronic governance in India by giving recognition to all kinds of electronic records and digital signatures along with defining cyber-crimes and prescribing penalties for them. The Act enforces the formation of the Controller of Certifying Authorities for regulating the issuance of digital signatures and also establishes a Cyber Appellate Tribunal to resolve disputes arising from this new law. The Act also brought various amendments in different sections of the Indian Penal Code, 1860, the Banker's Book Evidence Act, 1891, the Indian Evidence Act, 1872, and the Reserve Bank of India Act, 1934 to make them compliant with new and emerging technologies.
Safe harbour principle/immunity is mentioned under section 794 of the IT Act, 2000 and is an immunity clause that protects social media intermediaries against third party content on its platform when the intermediary has observed the ‘due diligence’ as per the Act and Rules. After replacing IT Rules, 2011 the It Rules 2021 has introduced additional provisions in the due diligence to be observed by the social media intermediary to claim protection and the same additional provisions have resulted in a major shockwave for the digital technology industry around the globe. Under Rule 4(2)5 of the IT Rules, 2021 a social media intermediary should additionally observe that such intermediary can be asked to trace the first originator of a message or a post or a tweet for prevention, investigation, detection, punishment, or protection of an offence related to sovereignty or integrity of India, friendly relations with other states, security of the state, or public order or incitement of any of the offences mentioned above or other offences related to sexual abuse/ assault or rape, child abuse or any offence that is not punishable with less than 5 years. This rule is breaking the principle of interoperability and common standards on which the open internet is operating. This rule is asking intermediaries like WhatsApp to archive what people are sharing through the platform, by breaking end-to-end encryption of a conversation and violate the absolute right of privacy.
On the other hand under Rule 4(4)6 of the IT Rules 2021, social media intermediaries are mandated to put endeavours and deploy automated tools and technology-based measures to proactively identify information that depicts or stimulates any form of rape, child abuse activities, whether explicitly or impliedly. The intention of enactment of rule 4(2) and rule 4(4) might be coping with the technological advancements and bring security measures at parity with the constantly evolving technology, but mandating these provisions on social media intermediaries is forcing them to risk or breach the privacy of the citizens of India. Under rule 4 (4), intermediaries like WhatsApp will have to breach end-to-end encryption to identify the information shared, resulting in the absolute breach of privacy. Apart from this the IT Rules 2021 are also burdening the intermediaries with various other obligations like under rule 4(1) (a)7 an intermediary must appoint Chief Compliance Officer who will be responsible for ensuring compliance with the Act and Rules and shall be liable for third-party information for the particular platform. Rule 4 (1) (b)8 mandates the appointment of a Nodal Contact Person for 24*7 coordination with law enforcement agencies. Subclause (c) of rule 4 mandates the appointment of Resident Grievance Officer and subclause (d) of rule 4 mandates the publishing of a periodic compliance report every month. These clauses are not only increasing the workload on the intermediaries but also increasing complexities, affecting the effectiveness of intermediaries' functioning.
Aggrieved by various obligatory provisions of IT Rules 2021 and specifically rule 4 (2) for tracing the originator of a message, various cases have been filed in different high courts challenging the constitutionality of IT Rules 2021. One of these cases is filed by WhatsApp before the High Court of Delhi. In the petition submitted by WhatsApp before the high court, it states that rule 4(2) is violating Article 14, 19 (1) (a), 19 (1) (g), and article 21 of the constitution and is also illegal as the rule obligates to breach into the privacy of citizens by breaking end-to-end encrypted messages. The rule states that an intermediary should identify the first originator of a message; this concept of identification is known as ‘traceability’. Technology and privacy experts have determined that traceability breaks end-to-end encryption and would severely undermine the privacy of billions of people who communicate digitally.9 As it cannot be predicted which message the government wants to investigate, the government has mandated traceability over every message that has been received or sent through the platform, enabling a new form of mass surveillance. For compliance with this rule, the intermediaries will have to maintain a giant and constantly growing data record of every message transmitted on the platform or would have to add a permanent identity stamp to every message which will act as a fingerprint for that message and will be used to trace it.
The effort of the government to enable traceability is not only breaching the privacy of citizens by breaking end-to-end encryption but is also ineffective and highly susceptible to abuse. Suppose a person, in good faith, took a screenshot and resends it, or copied a message and resends it, or copied an article on WhatsApp that someone mailed him, then the person would be determined as the first originator of that content and will be caught up in the investigation of a crime that he is not a part of. If we look at the entire picture as a tree, it is obvious that investigating one branch of the tree will not lead towards its roots without crossing different joints of different branches into the investigation. Secondly, the application of traceability is reversing the process of investigation as generally during an investigation the technology companies provide information of an individual to investigating authorities for complying with the legal proceedings. But in the case of traceability, the investigating authorities will provide certain information and ask the intermediary to determine the first originator of the same.
Protecting citizens' privacy is the utmost duty of the state as the right to privacy is one of the fundamental pillars holding the democracy of the country. Hence for protecting the same Hon'ble justice D.Y. Chandrachud has put forth a three-part test for making a law to invade the privacy of a person, by stating that,
"A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21, an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on life and personal liberty under Article 21. An invasion of life or personal liberty must meet the threefold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them”.10
Therefore any law which intends to invade the privacy of a citizen shall meet these three touchstones to be constitutionally valid. Rule 4(2) is prima facie not meeting the same as the rule is obligating an intermediary break the end-to-end encryption and breach privacy of a person for investigating a crime that is not committed by such person. Forcing an intermediary for breaching the privacy of a person does not create a rational nexus between the object and means used to achieve such information cannot be a proportional law.
On the other hand, if the identification of the first originator of the information is imposed then India will be undermining the following; for example, (i) journalists will face a great risk of retaliation from investigating certain issues which are supposed to be concealed. (ii) Client and attorney will become reluctant to share information knowing that the privacy of their communication is compromised. (iii) Civil and political activists will be at risk of retaliation for taking action or discussing certain rights, policies, or activities related to the same. It depends on the will of a person sharing information, with whom he wants to share such information or even reveal his identity. It is the right of a person to select the audience before which such person wants to reveal his identity and remain anonymous to others as also stated by the Supreme Court in the case of Central Public Information Officer, Supreme Court vs. Subhash Chandra Agrawal11 that, the right to privacy includes the right to anonymity12. The impugned provisions of IT Rules, 2021 appear to be arbitrary and seem to be an effort made by the government to find an instantaneous solution for the problem that can be solved with other means and without compromising the privacy of citizens making it unconstitutional. As mentioned in the case of Ram Jeth Malani vs. Union of India13 that, “Fundamental rights cannot be sacrificed on the anvil of fervid desire to find instantaneous solutions to a systematic problem”14
International bodies like the International Coalition of Civil Society Organisation and Security Researchers (ICCSOSR) are not only concerned about the compromised privacy of people but also states that the rules are a violation of Human Rights to speech and expression of the citizen of India. Concerned by the same, ICCSOSR wrote a coalition letter to the then minister of Law and Justice and electronics and IT, Mr. Ravi Shankar Prasad and state that, "India is a state party to the International Covenant on Civil and Political Rights (ICCPR), which restricts permissible limitations on freedom of expression to only those that are “necessary” and specified in Art. 19 (3).”15 Furthermore, the UN Human Rights Committee in its general comment no. 34 mentioned that
“Any restrictions on the operation of websites, blogs or any other internet-based, electronic or other such information dissemination system, including systems to support such communication, such as internet service providers or search engines, are only permissible to the extent that they are compatible with paragraph 3(Article 19 of ICCPR).”16
On the other hand, special rapporteurs of the UN for promotion and protection of the right to freedom of expression and opinion, for the right to privacy, and the right to freedom of peaceful association and assembly have written to the government of India stating that the IT Rules 2021 do not conform with the international norms of human rights. In the communication, The Special Rapporteur on the right to privacy has consistently supported encryption as an ‘effective technical safeguard’ that can, among other technical solutions, contribute to the protection of the right to privacy.17
Several legal battles are awaiting the present issue as the question is of the privacy of citizens of India and protection of the same from mass surveillance intended by the government. Section 66 A18 of the IT Act, 2000 made it a punishable offence to share any "grossly offensive" or menacing content through a communicating device over the internet, it was struck down by the Supreme Court of India in the case of Shreya Singhal vs. Union of India19 for being unconstitutional on the grounds of violating the right to speech and expression under Article 19(1) (a)20 of the constitution. The court also stated that the provision is also null and void as the provision was very ambiguous. Today the same question prevails before the Hon'ble court and the faith of the public remains firm with the apex court of India. On the other hand, as section 66A was declared unconstitutional, it was the duty of the government to bring a law that deals with the issue more precisely and systematically and to bring a law that is proportional to its cause. A fundamental right is the most basic right owned by a person by the virtue of one's existence and the same cannot be sacrificed for a fervid desire to find an instantaneous solution to a problem.